McAfee ENDPOINT ENCRYPTION ENTERPRISE - BEST PRACTICES GUIDE Specifications

Contents

Page 1 - 4.0 and

Best Practices Guide McAfee® ePolicy Orchestrator® 4.0 and 4.5

Page 3 - Contents

Task: 1. Click Menu | Automation | Server Tasks to open the Server Tasks Builder. 2. Click Edit for one of the following tasks. • Duplicate Agent GUID — Clear

Page 4

Task: 1. Under Reliability and Performance, click Monitoring Tools | Performance Monitoring, then click the plus sign (+). The Add Counters dialog box appe

Page 5 - Index 113

You can also check how quickly your ePolicy Orchestrator server processes events from agents by looking in the Events folder on the McAfee ePO server.

Page 6

• "4.0.0" — Is the product revision number • "1421" — Is the build number. That build number indicates this is "Patch 2" T

Page 7 - About this guide

• Because the scan timed out due to the size of the file, which is a 1059 event • The file was not scanned because it was inaccessible due to a passwor

Page 8 - Finding product documentation

13 SQL maintenance. For your McAfee ePO server to function correctly it is very important to have a well performing SQL database. It is the central storag

Page 9

Setting up a maintenance task to automatically reindex and rebuild your ePolicy Orchestrator SQL database only takes a few minutes and is essential to

Page 10

14 Disaster recovery. Many ePolicy Orchestrator users want to know how to set up ePolicy Orchestrator for a disaster recovery scenario. There are a few o

Page 11 - Architecture overview

Use server clusters for disaster recovery. If you require zero downtime if a hardware failure occurs you can cluster your ePolicy Orchestrator and SQL se

Page 12

Now, if the primary site fails you must make all the agents previously communicating with the primary McAfee ePO server start communicating with the s

Page 13 - Hardware configuration

2 ePolicy Orchestrator product architecture. The ePolicy Orchestrator software architecture offers extensive functionality that can be configured many dif

Page 15

15 Reference documentation. Following are several informative and valuable links for your McAfee implementation. Product videos. Support Video Tutorials — Th

Page 16

Other Informative Articles: Deploying SQL Server 2005 with SAN #1; Deploying SQL Server 2005 with SAN #2; Deploying SQL Server 2005 with SAN #3; SQL Storage T

Page 17 - SAN usage

Index. A. about this guide 7. Active Directory: organizing the System Tree 51; synchronization 46, 51. AD, See Active Directory. Agent Handlers: about 11, 35; increased

Page 18 - Small organization example

databases (continued): installed with ePolicy Orchestrator 13; maintaining 105; recommended hardware 17; reindex 105; restoring 107; server clusters for disaster

Page 19 - Large organization example

IP address (continued): used to sort the System Tree 52. L. LDF file 14. M. master repository: default 29; disabling from ePolicy Orchestrator server 73; on ePolicy O

Page 20 - • 32 – 128 GB of RAM

server tasks (continued): acting on a query 69. servers: combining ePolicy Orchestrator and database 13; disaster recovery 107; finding performance problems 100

Page 24

1. ePO server — Connects to the McAfee update server to download the latest security content 2. ePO Microsoft SQL database — Stores all the data about the

Page 26

6. McAfee update server — Hosts the latest security content so your ePolicy Orchestrator can pull the content at scheduled intervals. 7. Distributed reposit

Page 27 - Place repositories

Use VMs for the McAfee ePO Server. The McAfee ePO server supports multiple versions of virtual environments, but when your node count reaches 25,000 to 3

Page 28

Manage fewer than 5,000 nodes. If you have fewer than 5,000 nodes to manage with the McAfee ePO server, disk configuration is rarely an issue. Use your n

Page 29 - Determine repository count

• RAID 1 for the operating system with individual partitions for the SQL database (the MDF file) and the SQL transaction log (the LDF file). • RAID 1 fo

Page 30

SAN usage. Storage area network (SAN) devices are the standard configuration for larger storage requirements such as SQL databases that require backup a

Page 31

The following sections offer hypothetical environments to provide some guidelines for organization size and hardware requirements. These examples provide

Page 32 - Global updates

Medium organization example. A medium organization ranges from 5,000 to 25,000 nodes. A single McAfee ePO server can easily manage this size organization

Page 33 - How Global Updates works

COPYRIGHT Copyright © 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

Page 34

• 16 processors • 32 – 128 GB of RAM • At least 300 GB of space for the SQL database. These are not upper limits for hardware. If you have the budget for a

Page 35 - Agent Handlers

3 Repositories. A repository is a file sharing device that serves out files for clients to download. It does not manage policies, collect events, or have

Page 36

• UNC share repositories • SuperAgents. There are several things to keep in mind about these repositories: • The McAfee ePO server requires certain protoc

Page 37 - Orchestrator software

1. Create the folder 2. Adjust share permissions 3. Change the NTFS permissions 4. Create two accounts, one with read and another with write access. All of these t

Page 38 - In-place upgrade tips

Creating a new SuperAgent policy. A SuperAgent policy allows you to assign that policy to client machines to convert them to SuperAgents. Task: 1. From the P

Page 39 - Move the server

Task: 1. From the System Tree, click System Tree Actions | New Subgroup and give it a distinctive name, for example 1_SuperAgents. 2. Click OK. The new grou

Page 40

Task: 1. From the SuperAgent group you created, click the Assign Policies tab and select McAfee Agent from the Product list. 2. From the Actions column, click

Page 41 - Using Transfer Systems

Task: 1. In the System Tree, click the Systems tab and find the system you want to change to a SuperAgent repository. 2. Drag that row with the system name an

Page 42

To download the daily DAT file randomly from the central ePO server to the system agents takes the following bandwidth: 100 Agents * 200 KB file = 20 M

Page 43 - McAfee Agent

Example 2 — A large office in Tokyo. The large office in Tokyo needs to download the 200 Kb per day for DAT files to its 4,000 nodes, using the formula: (

Page 44 - Deploying agents

Contents. 1 Preface 7; About this guide ... 7; Audience ... 7; Conventions ...

Page 45

Server hardware Nodes updated Dedicated or shared client hardware Single 3 GHz processor with 4 GB of memory 3,000 Shared with other applications 3,000 –

Page 46

The EMEA offices have another data center in the UK with several other offices across EMEA. These other offices range from 200 nodes to 3,000 nodes. The o

Page 47 - Communication column

Improve agent update performance. In large environments, the ePolicy Orchestrator server is already very busy distributing policies and collecting events

Page 48

How Global Updates works. If the McAfee ePO server is scheduled to pull the latest DATs from the McAfee website at 2 p.m. Eastern time, and it changes th

Page 50

4 Agent Handlers. Agent Handlers co-ordinate work between themselves and the McAfee ePO server that communicates with the remote Agent Handlers. Agent Han

Page 52

5 Installation and upgrade of ePolicy Orchestrator software. There are two types of ePolicy Orchestrator installations: a new installation in an environme

Page 53

• You retain all your policies and client tasks — This means you don't have to rebuild them and could save you time. • You retain your directory st

Page 54

• Test your upgrade in a VM environment with a copy of your SQL database to make sure the upgrade works smoothly. • Validate all your settings to confir

Page 55 - Policies and packages

6 McAfee Agent 43; Agent functionality ... 43; Deploying agents ... 44; Deploy from the McAfee

Page 56 - McAfee agent policy

Move McAfee Agents between servers. Before the release of ePolicy Orchestrator 4.5, many customers wanted an upgrade path that would allow them to start

Page 57

Exporting and importing the ASSC keys. You must export the agent-server secure communication (ASSC) keys from the old server to the new server before moving

Page 58 - Configuring ASCI

3. Select the systems to move to the new McAfee ePO server and click Actions | Agents | Transfer Systems. The Transfer Systems dialog box appears. 4. Sele

Page 59

6 McAfee Agent. The McAfee agent is the liaison between all point-products and the McAfee ePO server. This 5 MB executable file is not a security product

Page 60 - Deploying packages

Once an agent is installed on a system, you never need to use a third-party deployment tool to update anything on that client. Figure 6-1 One agent to

Page 61

The McAfee Agent is a 5 MB executable file that can simply be executed manually or more commonly deployed on a larger scale to hundreds or thousands of

Page 62

If you gave this custom McAfee Agent to your desktop team a year ago, it is probably outdated. It becomes outdated if, for example, you have made change

Page 63 - Client tasks

• The machines in your AD tree must be well maintained. This is not always the case in many larger organizations. Machines need to be deleted and place

Page 64

Using third-party tools is not a requirement, but your organization might have strict policies that dictate how products are deployed for consistency a

Page 65 - Updating products

Confirm you deleted the agent GUID before freezing the image. If you choose option 1, Include the agent in your Windows image, it can cause one of the mo

Page 66

14 Disaster recovery 107; Configuring simple disaster recovery ... 107; Use server clusters for disaster recovery ...

Page 68

7 Organizing your System Tree. Your System Tree is a very important feature of your McAfee ePO server and you can configure the System Tree hierarchy in m

Page 69 - Server tasks

Dynamically sorting your machines. To dynamically sort your machines into your ePolicy Orchestrator System Tree use a combination of system criteria, su

Page 70 - Creating a server task

Organizing your System Tree Dynamically sorting your machines 7 McAfee® ePolicy Orchestrator® 4.0 and 4.5 Best Practices Guide 53

Page 72

8 Policies and packages. Policies are the settings that govern each product on the endpoint. Packages are the binaries that can be deployed by the McAfee

Page 73

This is not an exhaustive list and new products are constantly being added as McAfee expands its solution portfolio. Because of the McAfee ePO server

Page 74 - Purge events automatically

• Collects and sends its properties to the McAfee ePO server or Agent Handler • Checks to see if any policy changes or client tasks have occurred on th

Page 75

Configuring ASCI. Configure the ASCI to determine how often every McAfee Agent calls the McAfee ePO server. The ASCI is set to 60 minutes by default. If

Page 76 - Purging events by query

Task: 1. Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list. 2. Click the General tab, an

Page 78

1. Click Menu | Policy | Policy Catalog, then select McAfee Agent from the Product list and General from the Category list. 2. Click the General tab, and ty

Page 79

Task: For option definitions, click ? in the interface. 1. Click Menu | Configuration | Server Settings, then in the Settings Category pane click Repositor

Page 81 - Reporting

9 Client tasks. Client tasks run on the clients and are typically scheduled to run at a specific time. They are different from policies because they are

Page 82 - Custom queries

Configuring which products are deployed. Configure the agent client to deploy a product. See McAfee ePolicy Orchestrator 4.5 Product Guide for details. T

Page 83

nodes and you only have one repository, those 5,000 nodes are pulling a total of 180 GB of data from that one repository when the deployment task is ex

Page 84

Signatures, or DAT files, are released on a daily basis at approximately 11 a.m. Eastern time and average 200 Kb per day. Optionally, you can deploy ot

Page 85

4. Choose the content to update using this task. In this example the Daily Master Update task downloads the VirusScan Enterprise DAT and Engine files. If

Page 86

5. Click Next to configure the schedule for this task. The key to a good update task is updating several times per day at completely random intervals. Man

Page 87

10 Server tasks. Server tasks are any item that is scheduled to run on the McAfee ePO server itself. Using server tasks properly can significantly improv

Page 88 - Event summary queries

Preface. Contents: About this guide; Finding product documentation. About this guide. This information describes the guide's target audience, the t

Page 89

1. Give your server task a descriptive name. 2. Choose an action then a subaction. This is the most important part of creating your task. After the task per

Page 90

3. Configure a weekly report. • Click Run Query from the Actions list. • Click Managed Inactive Agents query from the Query list dialog box that appears,

Page 91

3. Configure an email report. • Click Run Query from the Actions list. • Click Managed Inactive Agents query from the Query list dialog that appears, then

Page 92

of content into each branch. Then the different versions can be rolled out to a selected group of test machines before a full deployment to the entire

Page 93

3. From the Repositories list, find the McAfee ePO server and click Disable in the Actions column. 4. Click Save to disable the McAfee ePO server reposit

Page 94

Task: For option definitions, click ? in the interface. 1. Click Menu | Automation | Server Tasks, then click Action | New Task. The Server Task Builder di

Page 95

events is only 10 days because it collects all URLs that are visited by managed machines. This can save a lot of data in environments with greater than

Page 96

Deleting inactive systems automatically. Most environments are constantly changing, new systems are added and old systems removed. This creates inactive

Page 97

1. Click Menu | Automation | Server Tasks and click Edit for the Inactive Agent Cleanup Task for 4.5 in the Action column. The Server Task dialog box app

Page 98

Changing the Managed Inactive Agents query. The Inactive Agent Cleanup server task uses a preconfigured query named Managed Inactive Agents. Whichever sy

Page 99 - FAQ and common scenarios

Finding product documentation. McAfee provides the information you need during each phase of product implementation, from installation to daily use and t

Page 101

11 Reporting. ePolicy Orchestrator ships with its own querying and reporting capabilities. These are highly customizable, flexible and easy to use. The Qu

Page 102

The following example shows some of the categories of preconfigured queries provided with the ePolicy Orchestrator software. Custom queries. Creating c

Page 103 - 1051 and 1059 events

• Have not communicated with the McAfee ePO server in a while • Are suspected of not working properly when you attempt to wake them up • Need a new agen

Page 104

Creating custom event queries. Create a custom query. Task: 1. Click Menu | Reporting | Queries, then Actions | New Query. The Query Wizard appears starting

Page 105 - SQL maintenance

Reporting Custom queries 11 McAfee® ePolicy Orchestrator® 4.0 and 4.5 Best Practices Guide 85

Page 106

3. You must choose the label or variable that you want the report to display. There are many variables you can choose to have the McAfee Agent reports di

Page 107 - Disaster recovery

4. You can choose the columns that you want to see if you drill down on any of the variables in your report. This is not a critical component when buildi

Page 108

5. Click Next to not create any filters and display all of the operating system types. 6. Click Run to generate the report and see the results. After you

Page 109

3. Click Events in the Features Group and Client Events in the Result Type. Click Next to continue to the Chart dialog box. 4. Under Summary, click Single

Page 110

1 History of McAfee ePolicy Orchestrator software. ePolicy Orchestrator software is a mature security management platform that delivers the quality and sta

Page 111 - Reference documentation

5. Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human readable description of the even

Page 112 - Other Informative Articles

8. Click Run to display the query report. In this example there are 308 client events total. If you want, you can click one event and drill down on it t

Page 113

5. Click Event Description, in the Labels are list, under Threat Event Descriptions to create a filter with a good human readable description of the even

Page 114

8. Click Run to display the query report. The McAfee ePO server displays approximately 8,000 threat events total. The data shown in this example comes f

Page 115

9. To determine approximately how many events you should have on your network use the following formula: (10,000 nodes) x (1 to 2 million events) = estima

Page 116

4. If the event is important, make sure you are monitoring the number of events using the Creating event summary queries and Purging events automatically

Page 117

5. Click Next to skip the Columns dialog box. You can choose the columns you want to analyze. You can skip this step because the McAfee ePO server does n

Page 118

11. Find the custom query you just created and click it in the list. 12. Schedule the task to run every night, then click Save. You can use this technique

Page 120

12 FAQ and common scenarios. This chapter contains some frequently asked questions (FAQs) and some common scenarios that an ePolicy Orchestrator administr
